You Don't Know Where Your Secrets Are

Do you know where your secrets are? If not, I can tell you: you are not alone. Hundreds of CISOs, CSOs, and security leaders, from small and large companies alike, don't know either. No matter the organization's size, certifications, tools, people, and processes, secrets are not visible in 99% of cases.

It might sound ridiculous at first: keeping secrets is an obvious first thought when thinking about security in the development lifecycle. Whether in the cloud or on-premises, you know that your secrets are safely stored behind hard gates that few people can access. Developers working in your organization are well aware that secrets should be handled with special care. Yet secrets sprawl everywhere in your systems, and faster than most realize. Secrets are copied and pasted into configuration files, scripts, source code, or private messages without much thought. Insufficient audit and remediation capabilities are among the reasons why secrets management is hard.

To take stock of your real security posture regarding secrets in your organization, take five minutes to answer the eight questions. Sound secrets management is a crucial defensive tactic that requires some thought to build a comprehensive security posture. The fundamental point addressed by this model is that secrets management goes well beyond how the organization stores and distributes secrets. That's why detection and remediation tools and policies, along with secrets storage and distribution, form the pillars of our maturity model. Going from 0 to 1 is mostly about assessing the risks posed by insecure software development practices and starting to audit digital assets for hardcoded credentials. At the intermediate level, secrets scanning is more systematic, and secrets are cautiously shared across the DevOps lifecycle. Another core consideration for this framework is that making it hard to use secrets in a DevOps context will inevitably lead to the bypassing of the protective layers in place.
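As an added illustration of the "audit digital assets for hardcoded credentials" step (example code written for this page, not GitGuardian's or The Hacker News's tooling), the scanner below runs a small name-based pattern, one publicly documented key-id format and a Shannon-entropy filter over constructed sample files, and suppresses placeholders and environment-variable indirections so the report lists only likely live credentials. The file contents, keyword list, placeholder list and entropy threshold are assumptions chosen for the demonstration.

```python
import math
import re
# Constructed sample of the places the article names (config files, scripts, source code);
# every value is made up or an officially published example, never a real credential.
SAMPLE_FILES = {
    "config/app.env": [
        "DB_PASSWORD=changeme",                    # placeholder: must not be reported
        "SMTP_PASSWORD=Wq7tRz3pLx9mNb2v",          # constructed hardcoded password
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",  # AWS's documented example id; matched by format
    ],
    "scripts/deploy.sh": [
        'export API_TOKEN="q8Zr2vLm9Xp4TkW7nB3cYh6J"',  # constructed high-entropy token
    ],
    "src/settings.py": [
        'SECRET_KEY = os.environ["SECRET_KEY"]',   # read from the environment, not hardcoded
        'password = "password"',                   # low entropy: a word, not a credential
    ],
}

# name=value / name: "value" where the name looks secret-related (illustrative, not exhaustive)
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[\w.-]*(?:password|passwd|secret|token|api[_-]?key|access[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?(?P<value>[A-Za-z0-9_\-./+=]{8,})[\"']?"
)
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")  # publicly documented key-id format
PLACEHOLDERS = ("changeme", "example", "replace_me", "${", "os.environ", "getenv")  # templates/indirections

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, dictionary words and dummies low."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value)) if n else 0.0

def redact(value: str) -> str:
    """Keep only a short prefix so the audit report does not re-leak what it found."""
    return value[:4] + "*" * (len(value) - 4)

def scan_line(path: str, lineno: int, line: str, min_entropy: float = 3.0):
    """Return one finding dict for this line, or None if nothing credential-like is on it."""
    m = AWS_ACCESS_KEY_ID.search(line)
    if m:
        return {"path": path, "line": lineno, "kind": "aws_access_key_id", "value": redact(m.group(1))}
    m = SECRET_ASSIGNMENT.search(line)
    value = m.group("value") if m else ""
    if not value or any(p in value.lower() for p in PLACEHOLDERS) or shannon_entropy(value) < min_entropy:
        return None
    return {"path": path, "line": lineno, "kind": "assignment:" + m.group("name"), "value": redact(value)}

def scan_files(files: dict) -> list:
    """Audit every line of every file (path -> list of lines) and collect the findings in order."""
    return [f for p, ls in files.items() for n, l in enumerate(ls, 1) if (f := scan_line(p, n, l))]
```

Run `scan_files(SAMPLE_FILES)` to get the three findings with redacted values; in a real audit the same loop would walk a repository checkout or CI workspace and feed the output to the remediation process the article asks about.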
As with everything else in security, the answers lie between protection and flexibility. The idea is that the use of a secrets manager should not be seen as a stand-alone solution but as an additional layer of defense. Here are some questions that this model should raise in order to help you evaluate your maturity: how frequently are your production secrets rotated? How easy is it to rotate secrets? How are secrets distributed at the development, integration, and production phases? What measures are in place to prevent the unsafe dissemination of credentials on local machines? Do CI/CD pipelines' credentials adhere to the least-privilege principle? What procedures are in place for when secrets are leaked?

Reviewing your secrets management posture should be top of mind in 2023. First, everyone working with source code has to handle secrets, if not daily, at least once in a while. Secrets are no longer the prerogative of security or DevOps engineers. Second, if you don't find where your secrets are, hackers will. The risks posed to organizations failing to adopt mature secrets management practices cannot be overstated. Development environments, source code repositories and CI/CD pipelines have become favorite targets for hackers, for whom secrets are a gateway to lateral movement and compromise.

Recent examples highlight the fragility of secrets management even in the most technologically mature organizations. In September 2022, an attacker got access to Uber's internal network, where he found hardcoded admin credentials on a network drive. The secrets were used for logging in to Uber's privileged access management platform, where many more plaintext credentials were stored throughout files and scripts. In August of the same year, the password manager LastPass fell victim to an attacker who gained access to its development environment by stealing the credentials of a software developer and impersonating that individual.
In 2022, source code leaks proved to be a true minefield for organizations: NVIDIA, Samsung, Microsoft, Dropbox, Okta, and Slack, among others, were victims of source code leaks. Armed with these, attackers can gain leverage and pivot into hundreds of dependent systems in what is known as a supply chain attack. The company urged its customers to immediately change their passwords, SSH keys, or any other secrets stored on or managed by the platform. Still, before they can press the emergency button, victims need to find out where these secrets are and how they are being used. These incidents are all warning signs of the urgency to deal with hardcoded credentials and to dust off secrets management in general.

Our hyper-connected services world relies on hundreds of types of keys, or secrets, to function properly. Knowing where your secrets are, not just in theory but in practice, and how they are used along the software development chain is crucial for security. To help you, we created a maturity model specifically about secrets distribution, leak detection, remediation process, and rotation habits. The first step is always to get a clear audit of the organization's security posture regarding secrets: where and how are they used? Where do they leak? How do you prepare for the worst? This alone could prove to be a lifesaver in an emergency. Find out where you stand with the questionnaire and learn where to go from there with the white paper. In the wake of recent attacks on development environments and business tools, companies that want to defend themselves effectively must ensure that the grey areas of their development cycle are cleared as soon as possible.

This Cyber News was published on thehackernews.com. Publication date: Wed, 01 Feb 2023 03:54:03 +0000
